vcftools multiple vulnerabilities
=================================

Author: Webin security lab - dbapp security Ltd
===============================================

Introduction:
=============
A set of tools written in Perl and C++ for working with VCF files, such as those generated by the 1000 Genomes Project.

Project website: https://vcftools.github.io/

Affected version:
=================
0.1.15

Vulnerability Description:
==========================

1. The header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause an information disclosure (heap-buffer-overflow, out-of-bounds read) via a crafted VCF file.

./vcftools --vcf heap-buffer-overflow.vcf
==15884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000368 at pc 0x0000005dd54f bp 0x7ffed30cd750 sp 0x7ffed30cd748
READ of size 8 at 0x603000000368 thread T0
    #0 0x5dd54e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::size() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:716:16
    #1 0x5dd54e in header::str2int(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:490
    #2 0x5dd54e in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:128
    #3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000000368 is located 8 bytes to the right of 32-byte region [0x603000000340,0x603000000360)
allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7f46223c1e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5ee39c in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::push_back(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:923:4
    #3 0x5ee39c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:453
    #4 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #9 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer: heap-buffer-overflow.vcf
CVE: CVE-2018-11099

2. The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted VCF file.

./vcftools --vcf uaf.vcf
==15368==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001ff0 at pc 0x000000447851 bp 0x7ffe55a71430 sp 0x7ffe55a70be0
READ of size 17 at 0x603000001ff0 thread T0
    #4 0x5da1b2 in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:145
    #5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #9 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000001ff0 is located 0 bytes inside of 18-byte region [0x603000001ff0,0x603000002002)
freed by thread T0 here:
    #12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
    #13 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #14 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #18 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7fd92d493e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer: uaf.vcf
CVE: CVE-2018-11129

3. The header::add_FORMAT_descriptor function in header.cpp in vcftools allows remote attackers to cause remote code execution (heap-use-after-free) via a crafted VCF file.

./vcftools --vcf uaf1.vcf
==15444==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000560 at pc 0x0000004b983c bp 0x7ffc678f42e0 sp 0x7ffc678f3a90
READ of size 2 at 0x606000000560 thread T0
    #3 0x5e40ca in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:216
    #4 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #5 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #6 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #7 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #8 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x606000000560 is located 0 bytes inside of 49-byte region [0x606000000560,0x606000000591)
freed by thread T0 here:
    #12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
    #13 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
    #14 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #18 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7efe8bd16e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
    #3 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer: uaf1.vcf
CVE: CVE-2018-11130

===============================
Best,
Webin security lab - dbapp security Ltd
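All three findings above are in the parsing of ##INFO and ##FORMAT header descriptors. The following is an added example, not vcftools code, of how a header-descriptor parser for those meta lines can be written defensively in C++: every field is looked up by key rather than by a fixed token index, the integer conversion is strict and never reads past its input, and the tokenizer returns a fresh vector by value so no reference into a token buffer outlives a later call. The line format and field names (ID, Number, Type, Description and the symbolic counts A, R, G, '.') are from the VCF specification; the reading of the traces that motivates these choices (str2int reaching 8 bytes past a 32-byte region filled by tokenize's push_back, and strings freed inside tokenize being read afterwards) is an inference from the sanitizer output, not something the advisory states. The function names and sample lines below are constructed for this example.

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <string>
#include <vector>

// Added example, not vcftools code. Split `s` on `sep` but keep separators
// inside double quotes (Description="..." may contain commas). A fresh vector
// is returned by value, so callers never hold a reference into storage that a
// later tokenize call could free or reallocate.
static std::vector<std::string> tokenize_quoted(const std::string &s, char sep)
{
    std::vector<std::string> out;
    std::string cur;
    bool in_quotes = false;
    for (char c : s) {
        if (c == '"') in_quotes = !in_quotes;
        if (c == sep && !in_quotes) { out.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    out.push_back(cur);
    return out;
}

// Look up "key=value" among the tokens by key, never by position.
// Returns false when the key is absent or its value is empty.
static bool find_field(const std::vector<std::string> &toks,
                       const std::string &key, std::string &value)
{
    for (const std::string &t : toks) {
        if (t.size() > key.size() + 1 && t.compare(0, key.size(), key) == 0 &&
            t[key.size()] == '=') {
            value = t.substr(key.size() + 1);
            return true;
        }
    }
    return false;
}

// Strict integer conversion: the whole token must be a base-10 integer that
// fits in an int. Only the bytes of the given string are ever examined.
static bool str2int_checked(const std::string &s, int &out)
{
    if (s.empty()) return false;
    errno = 0;
    char *end = nullptr;
    long v = std::strtol(s.c_str(), &end, 10);
    if (errno != 0 || *end != '\0' || v < INT_MIN || v > INT_MAX) return false;
    out = static_cast<int>(v);
    return true;
}

struct Descriptor {
    std::string id, type, description;
    int number; // -1 for the symbolic counts A, R, G and '.'
};

// Parse one "##INFO=<...>" or "##FORMAT=<...>" meta line (kind is "INFO" or
// "FORMAT"). Any malformed line is rejected rather than trusting the token
// count or the field contents.
static bool parse_descriptor(const std::string &line, const std::string &kind,
                             Descriptor &d)
{
    const std::string prefix = "##" + kind + "=<";
    if (line.size() < prefix.size() + 1 ||
        line.compare(0, prefix.size(), prefix) != 0 || line.back() != '>')
        return false;
    std::string body = line.substr(prefix.size(), line.size() - prefix.size() - 1);
    std::vector<std::string> toks = tokenize_quoted(body, ',');

    std::string number;
    if (!find_field(toks, "ID", d.id) || !find_field(toks, "Number", number) ||
        !find_field(toks, "Type", d.type) ||
        !find_field(toks, "Description", d.description))
        return false;

    // Number: a non-negative integer or one of the VCF symbolic counts.
    if (number == "A" || number == "R" || number == "G" || number == ".")
        d.number = -1;
    else if (!str2int_checked(number, d.number) || d.number < 0)
        return false;

    // Type: only the values the VCF specification allows; Flag is INFO-only.
    static const char *const types[] = {"Integer", "Float", "Flag", "Character", "String"};
    bool type_ok = false;
    for (const char *t : types) if (d.type == t) type_ok = true;
    if (!type_ok || (d.type == "Flag" && kind != "INFO")) return false;

    // Strip the surrounding quotes from the description when present.
    if (d.description.size() >= 2 && d.description.front() == '"' &&
        d.description.back() == '"')
        d.description = d.description.substr(1, d.description.size() - 2);
    return true;
}
```

A truncated line such as `##INFO=<ID=DP,Number=1>` (constructed sample) is rejected by `parse_descriptor` because the Type and Description lookups fail, instead of being indexed past the end of a token vector; a non-numeric Number is rejected by `str2int_checked` before any conversion result is used.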